PHP :: Bug #72413 :: mysqlnd segfault (fetch_row second parameter typemismatch)

Bug #72413

mysqlnd segfault (fetch_row second parameter typemismatch)

Submitted:

2016-06-15 14:47 UTC

Modified:

2017-10-24 05:17 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

martin dot koegler at brz dot gv dot at

Assigned:

mysql (profile)

Status:

Assigned

Package:

*General Issues

PHP Version:

5.6.22

OS:

Linux

Private report:

CVE-ID:

None

[2016-06-15 14:47 UTC] martin dot koegler at brz dot gv dot at

Description:
------------
If the MYSQLI_CURSOR_TYPE_READ_ONLY option is active on a mysqli statement, mysqlnd_fetch_stmt_row_cursor is selected as row fetch method.

mysqlnd_fetch_stmt_row_cursor expects a MYSQLND_STMT passed as "param" parameter.  mysqlnd_res::fetch_into passes a zval as this parameter, which yields to a crash.

Test script:
---------------
<?php
$link1=mysqli_connect(....);
$SQL="SELECT 1";
$stmt=$link1->prepare($SQL);
$stmt->attr_set(MYSQLI_STMT_ATTR_CURSOR_TYPE, MYSQLI_CURSOR_TYPE_READ_ONLY);
$stmt->execute();
$res = $stmt->get_result();
while($res->fetch_row());
?>


Expected result:
----------------
No segfault

Actual result:
--------------
Segfault in
1022                    SET_CLIENT_ERROR(*stmt->conn->error_info, CR_COMMANDS_OUT_OF_SYNC, UNKNOWN_SQLSTATE,

mysqlnd_fetch_stmt_row_cursor at ext/mysqlnd/mysqlnd_ps.c:1022
php_mysqlnd_res_fetch_into_pub at ext/mysqlnd/mysqlnd_result.c:1823

Patches

Pull Requests

History

[2016-06-19 13:22 UTC] laruence@php.net

-Status: Open +Status: Verified -Package: mysqlnd_uh +Package: *General Issues -Assigned To: +Assigned To: mysql

[2017-10-24 05:17 UTC] kalle@php.net

-Status: Verified +Status: Assigned

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2018 The PHP Group All rights reserved.	Last updated: Wed Jun 20 04:01:45 2018 UTC